Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 pypi packages depend on mlflow (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.9.0.
DescriptionCVE.org
A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The _create_webhook() function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the _send_webhook_request() function in mlflow/webhooks/delivery.py sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the MLflow backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation on the webhook URL enables exploitation, potentially leading to cloud credential theft, internal network access, and data exfiltration.
AnalysisAI
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints (e.g., AWS EC2 metadata at 169.254.169.254). Affects MLflow versions prior to 3.9.0. The webhook creation endpoint accepts unvalidated user-controlled URLs that are later used in HTTP POST requests, enabling cloud credential theft, internal network reconnaissance, and data exfiltration. Vendor-released patch available in MLflow 3.9.0, confirmed by GitHub commit 64aa0ab. No active exploitation confirmed (not in CISA KEV), but publicly disclosed with detailed technical analysis from huntr.com.
Technical ContextAI
MLflow is an open-source platform for managing machine learning lifecycles, including experiment tracking and model deployment. The vulnerability exists in the webhook delivery mechanism implemented in Python. The _create_webhook() function in mlflow/server/handlers.py accepts a URL parameter from authenticated users without validation. This URL is stored and later used by _send_webhook_request() in mlflow/webhooks/delivery.py to send HTTP POST requests. The lack of input sanitization against CWE-918 (Server-Side Request Forgery) allows attackers to specify internal network addresses (RFC1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8, ::1), link-local addresses (169.254.0.0/16 including cloud metadata endpoints), and other non-routable ranges. The fix in version 3.9.0 implements URL scheme validation (HTTPS-only), hostname resolution via socket.getaddrinfo(), and IP address classification using Python's ipaddress module to reject non-global addresses using the is_global property. An environment variable MLFLOW_WEBHOOK_ALLOW_PRIVATE_IPS provides override capability for local development environments.
RemediationAI
Upgrade to MLflow version 3.9.0 or later, which implements comprehensive SSRF protection including HTTPS-only URL scheme validation, hostname resolution checks, and IP address classification to block private, loopback, link-local, and reserved addresses. The fix is confirmed in commit 64aa0ab7207f9c649b59ba1a5f40d82196817389 available at https://github.com/mlflow/mlflow/commit/64aa0ab7207f9c649b59ba1a5f40d82196817389. If immediate patching is not feasible, implement network-level controls: deploy egress filtering rules to block MLflow server outbound connections to RFC1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and cloud metadata endpoints (169.254.169.254/32), though this may break legitimate webhook integrations requiring internal network access. Restrict webhook creation permissions to highly trusted administrative users only via MLflow's permission model. Monitor MLflow logs for webhook creation events and HTTP request patterns targeting suspicious destinations. Note that the workaround firewall rules must block DNS resolution to private IPs, not just direct IP literals, as attackers can use DNS rebinding or public domains resolving to internal addresses. Audit existing webhooks for suspicious URLs using the MLflow API or database inspection before deploying the patch, as the fix validates URLs at delivery time for pre-existing webhooks.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29093
GHSA-65h7-c7c4-mghx